  1. #16
    Member
    Join Date
    Nov 2002
    Posts
    1,781

    Default

    Originally posted by Juanra:
        antirelayd I would say.

    What do you mean?? Can you please explain??

    regards,

    Anand

  2. #17
    Member
    Join Date
    Sep 2001
    Location
    Spain
    Posts
    779

    Default

    I think it is antirelayd that updates /etc/relayhosts regularly. You may inspect its source code to see how it works, it's in Perl.

  3. #18
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Default

    You are somewhat on the mark, Juanra. I have opened a ticket on this issue [ https://tickets.cpanel.net/review/?id=4727&secid=ILIPhivSDX ] and even though I've verified what a big security hole this is and how others have changed the POPAUTH settings, support responses to date do not seem to see it that way.

    I have done some testing with the "antirelayd" file and do get better results. I've been able to cut it down from 60 to 30 minutes and am still looking for zero. The problem I'm running into, though, is that every day Cpanel is updated (at 11:23 MST) and overwrites the file.

    Currently this file [ # /usr/sbin/antirelayd* ] is owned by "root" with 755 permissions. Does anyone know how one would change/set up permissions so Cpanel updates do not overwrite the file while still allowing it to work for all Server accounts?
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  4. #19
    Member
    Join Date
    Dec 2002
    Posts
    18

    Default

    You can prevent update of any particular file with
    chattr +i filename

    However, reading through the other parts of this thread, I don't see this as a particularly big security problem. As it stands now, relaying is permitted from any IP address that has checked mail within the last 30 minutes. Unless a spammer has access to an IP address used by one of your email users, the 30 minutes is immaterial.

    Right?

  5. #20
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Default

    Thanks for the tip, but I wouldn't say it's immaterial.

    As I pointed out in my submitted ticket, if this security hole becomes known to Spammers, they will start to actively seek out Domains hosted with Cpanel and use them for Spamming. They don't need an IP address (since you cannot send eMail that way) and by using someone else's Domain Name to access their Mailbox, the Domain Name owner can be accused of Spamming and it would be a valid accusation -- even if the person has no knowledge of it.

    Do the testing as I have done, and detailed in the ticket submission. See how easy it is to Spam your own eMail address. Then start asking about how to change the POPAUTH setting in WHM/Cpanel and you'll discover it seems to be right up there with unraveling Mysteries of the Universe -- or so it seems anyway.

  6. #21
    Member
    Join Date
    Dec 2002
    Posts
    18

    Default

    I think I have a solution for you, and then another question.

    I'll preface this with a disclaimer: I'm new to exim, but I think I understand this process. If not, someone please correct me.

    You can tell exim to not allow relaying except via SMTP authentication, by changing /etc/exim.conf

    The key lines are these:

    host_accept_relay = +allow_address : lsearch;/etc/relayhosts : localhost
    host_auth_accept_relay = *

    The first, host_accept_relay is where exim is told to allow un-authenticated relay from the addresses listed in /etc/relayhosts
    (Antirelayd is responsible for refreshing /etc/relayhosts periodically.)
    The second, 'host_auth_accept_relay = *' says to allow anyone to relay, if they authenticate sending with a username and password.

    Since you want to rely only on authenticated SMTP, you should be able to remove the 'lsearch; /etc/relayhosts' bit in host_accept_relay.
    That way, no unauthenticated mail can be sent, except from localhost.


    Now, my question: Is my understanding inaccurate? For a spammer to be successful in sending through your system, his unauthenticated SMTP request would have to originate from the same IP address that one of your legitimate users had checked POP mail on within the last 60 minutes.

    If that's not true, then I'm concerned as well, and I'll test via another network, after ensuring that I disable my POP mail-checks beforehand.
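
Added example (not part of the original thread, and not cPanel's or Exim's own code): a small Python audit of the two relay options quoted in post #21, flagging any file lookup in host_accept_relay that grants relay without SMTP authentication. The function names and both sample configs are constructed for illustration.

```python
import re

# Constructed samples: the two relay lines quoted in the post above, and the
# variant it proposes with the /etc/relayhosts lookup removed.
STOCK = """\
host_accept_relay = +allow_address : lsearch;/etc/relayhosts : localhost
host_auth_accept_relay = *
"""
HARDENED = """\
host_accept_relay = +allow_address : localhost
host_auth_accept_relay = *
"""

def parse_options(conf_text):
    """Return {option: [items]} for 'name = a : b : c' lines.
    Assumption: no list item contains a literal colon (e.g. IPv6)."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        opts[name.strip()] = [i.strip() for i in value.split(":") if i.strip()]
    return opts

def audit_relay(conf_text):
    """List (kind, item) for every way a host is allowed to relay."""
    opts = parse_options(conf_text)
    findings = []
    for item in opts.get("host_accept_relay", []):
        lookup = re.match(r"(\w+);\s*(\S+)$", item)
        if lookup:
            # A file lookup means the allowed hosts change at runtime,
            # here whenever antirelayd rewrites the file.
            findings.append(("unauth-file-lookup", lookup.group(2)))
        else:
            findings.append(("unauth-static", item))
    for item in opts.get("host_auth_accept_relay", []):
        findings.append(("authenticated", item))
    return findings

def unauth_lookup_files(conf_text):
    """Files whose contents grant relay without SMTP authentication."""
    return [i for kind, i in audit_relay(conf_text) if kind == "unauth-file-lookup"]

if __name__ == "__main__":
    for label, conf in (("stock", STOCK), ("hardened", HARDENED)):
        print(label, audit_relay(conf))
```

With the hardened lines, the only entries left for a remote mail client are the static ones and authenticated SMTP, so every mail client has to be configured to authenticate when sending.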

  7. #22
    Member (Radio_Head; account confirmed by cPanel staff to represent a vendor)
    Join Date
    Feb 2002
    Posts
    2,064

    Default

    I tried this

    host_accept_relay = +allow_address : localhost
    host_auth_accept_relay = *

    and restarted exim, but I was not able to send email with my Eudora.